From cd2f098adea5864c42adeccf5774a673f294bbe1 Mon Sep 17 00:00:00 2001 From: Syed Mohammed Nayyar Date: Tue, 30 Jun 2026 15:29:35 +0530 Subject: [PATCH] use SecureRandom for digest auth cnonce --- client/src/main/java/org/asynchttpclient/Realm.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/client/src/main/java/org/asynchttpclient/Realm.java b/client/src/main/java/org/asynchttpclient/Realm.java index 768a72f6a..c7b983161 100644 --- a/client/src/main/java/org/asynchttpclient/Realm.java +++ b/client/src/main/java/org/asynchttpclient/Realm.java @@ -24,9 +24,9 @@ import java.nio.charset.Charset; import java.security.MessageDigest; +import java.security.SecureRandom; import java.util.Arrays; import java.util.Map; -import java.util.concurrent.ThreadLocalRandom; import static java.nio.charset.StandardCharsets.ISO_8859_1; import static java.nio.charset.StandardCharsets.UTF_8; @@ -283,6 +283,9 @@ public enum AuthScheme { */ public static class Builder { + // cnonce must be unpredictable (RFC 7616 section 3.3), like the NTLM and SCRAM nonces + private static final SecureRandom CNONCE_RANDOM = new SecureRandom(); + private final @Nullable String principal; private final @Nullable String password; private @Nullable AuthScheme scheme; @@ -610,7 +613,7 @@ public Builder parseProxyAuthenticateHeader(String headerLine) { private void newCnonce(MessageDigest md) { byte[] b = new byte[8]; - ThreadLocalRandom.current().nextBytes(b); + CNONCE_RANDOM.nextBytes(b); byte[] full = md.digest(b); // trim to first 8 bytes → 16 hex chars byte[] small = Arrays.copyOf(full, Math.min(8, full.length));